That was just an example I wrote while writing the email. Actual one does have a "by".
The ACLs parse without warning (except the catch-all where dn=*). This is the real one in my slapd config:
access to dn.regex="^[^,]+,ou=resources,(ou=[^,]+,ou=MyNs,dc=MyCompany,dc=com)$"
attrs="entry,@MyResourceClasss"
by group/groupOfNames/member.expand="cn=admins,ou=groups,$1" +w continue
by * break
Thanks
-Rakesh
--On Friday, November 11, 2011 11:40 AM -0800 Rakesh Aggarwal <rakesh.aggarwal@gmail.com> wrote:What you pasted is not a valid ACL statement. I expect it to fail. You may want to try adding the word "by" in front of "group.exact".
Hi folks!
I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio
as the client on a different machine.
I am having issues trying to setup ACL using Group. The only non-standard
aspect in my schema design is that the groups container is located in a
organization specific sub-tree of DIT and not under DIT root, e.g.
access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com"
attrs = "entry,@myResourceClass"
group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com"
write continue
by * break
access to * by * read
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration